Hi everyone, I ran into a strange issue on my Keenetic router and wanted to share it here in case others have experienced the same.
When I use regular DNS (ISP DNS, Google, Cloudflare, etc.), PPPoE connects just fine. But as soon as I enable DoH/DoT, the PPPoE session starts always showing "Authentication failed". In addition, the connection problem occurs when restarting the PPPoE service or modem.
After looking into it, here’s what seems to be happening:
With DoH/DoT enabled, the router first tries to resolve the hostname of the secure DNS server.
It attempts to do this through the PPPoE interface, but at that point the PPPoE session hasn’t been fully established yet. (Because when I add a normal DNS address, it connects after a while.)
This premature attempt causes the router to trigger a PPPoE authentication error, even though the username and password are correct.
With normal DNS, there’s no need for an early hostname lookup, so the PPPoE session comes up cleanly and only afterwards DNS queries flow through meaning no errors appear.
Problem isn’t wrong credentials, but rather Keenetic’s DoH/DoT “bootstrap” mechanism trying to use the PPPoE link before authentication has completed.
You can post now and register later.
If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.
Question
DogancanYr
Hi everyone, I ran into a strange issue on my Keenetic router and wanted to share it here in case others have experienced the same.
When I use regular DNS (ISP DNS, Google, Cloudflare, etc.), PPPoE connects just fine. But as soon as I enable DoH/DoT, the PPPoE session starts always showing "Authentication failed". In addition, the connection problem occurs when restarting the PPPoE service or modem.
After looking into it, here’s what seems to be happening:
With DoH/DoT enabled, the router first tries to resolve the hostname of the secure DNS server.
It attempts to do this through the PPPoE interface, but at that point the PPPoE session hasn’t been fully established yet. (Because when I add a normal DNS address, it connects after a while.)
This premature attempt causes the router to trigger a PPPoE authentication error, even though the username and password are correct.
With normal DNS, there’s no need for an early hostname lookup, so the PPPoE session comes up cleanly and only afterwards DNS queries flow through meaning no errors appear.
Problem isn’t wrong credentials, but rather Keenetic’s DoH/DoT “bootstrap” mechanism trying to use the PPPoE link before authentication has completed.
1 answer to this question
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.